I'm currently using my home computer as an FTP server and I'm extremely security conscious. I come from a family of computer fanatics, you see.

However, I've been noticing some fishy things going on as far as file placement and some random .txt files appearing and disappearing (only one or two times). I'm the kind of guy who keeps things very organized. The thought of a single person hacking a HOME computer is almost stupid, but I had to try to hack it from a friend's house to see what was going on, and a simple port scan scared me. I may have a lot of services running, but I don't have subseven running on there, as far as I know, nor some of these other services that are alien to me.

Anyway, here's an NMAP log. The first one is nmap -oS -O -PN; the second output is nmap -oS -O -vv -PN. Both of these were output to .txt files and copy + pasted here. I'd like to see if I can get an audit as well, and if I can, I'd like to know some countermeasures I can apply to.. well.. counter any outside audits, obviously. I didn't consider this until now, but it seems like it'd be a good idea at this point.

Also, I tried downloading the sub7 client and connecting to the server, no dice. I may have done something wrong though. Anyway, here are the 2 outputs, starting with the one I used the -vv flag with.

nmap -oS -O -vv -PN ip

PORT STATE SERVICE
21/tcp open ftp
49/tcp open tacacs
104/tcp open acr-nema
118/tcp open sqlserv
135/tcp open msrpc
137/tcp open netbios-ns
138/tcp open netbios-dgm
139/tcp filtered netbios-ssn
156/tcp open sqlsrv
193/tcp open srmp
251/tcp open unknown
321/tcp open pip
329/tcp open unknown
362/tcp open srssend
411/tcp open rmt
412/tcp open synoptics-trap
418/tcp open hyper-g
429/tcp open ocs_amu
445/tcp open microsoft-ds
493/tcp open ticf-2
551/tcp open cybercash
560/tcp open rmonitor
563/tcp open snews
590/tcp open tns-cml
739/tcp open unknown
759/tcp open con
763/tcp open cycleserv
1015/tcp open unknown
1025/tcp open NFS-or-IIS
1385/tcp open atex_elmd
1416/tcp open novell-lu6.2
1518/tcp open vpvd
1520/tcp open atm-zip-office
2001/tcp open dc
2047/tcp open dls
2067/tcp open dlswpn
3333/tcp open dec-notes
3389/tcp open ms-term-serv
4321/tcp open rwhois
5000/tcp filtered UPnP
6346/tcp open gnutella
27374/tcp open subseven
32776/tcp open sometimes-rpc15

nmap -oS -O -PN ip


As you can see, the second output shows services of about 4+ backdoors and some network/computer monitoring software, as well as a nessus server that I don't know the username/password to, if it even exists.

Anyway, any constructive criticism or other comments are appreciated; I could use the help.

I was getting the issue because I was scanning from outside of my network, not scanning my network's IP addresses; my guess is you're doing something relatively similar to this. If I had to give it a random whack answering this question, I'd guess that maybe it's our ISP trying to cut down on some malicious-looking traffic coming from us, so something goes on where it'll return false reports of open ports on the specified machine. My recommendation for this is to try scanning from the LAN itself to the designated computer. If you don't want to do that, perhaps run a less robust scan, maybe specifying a certain number of ports individually or something similar to a -p1-10 parameter, etc., while performing a scan; you may get more positive outputs! By the way, remove the results of your nmap scan, it's pretty long; if you want to show it, upload it in a .txt file and link it out to a server. Good luck!

Thanks for the input guys, but I figured out my problem and was actually able to audit my server from a buddy's house by about 5AM EST. It took a call to my brother in Arizona who actually has a degree in Network Security heh. He showed me one cool trick he had up his sleeve and I was able to get in two different ways and the Sub7 port ended up being a false alarm as far as I know, but I reformatted and closed all previous holes anyway just in case. I'm running the server on CentOS with a more secure FTP as well.

Thanks anyway guys. I'm sure the forum will come in handy for many other things in the future :]. I plan on sticking around since you all seem nice; honestly I was expecting negative responses.

Since this is a home router, I'm guessing that the DMZ option might have been enabled to forward all inbound traffic to a given IP address. Since it's most likely doing NAT, one way to achieve this is to route all inbound TCP connections to the DMZ host. I've not tested this, but it sounds plausible at least.
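The two replies above suggest the same defensive check: scan the box from inside the LAN and compare that with the view from outside, because a router DMZ rule or an ISP device that completes every handshake makes almost every probed port look open. The Python below is an added example, not code from this thread; it parses nmap's plain "PORT STATE SERVICE" text as pasted by the poster, diffs a LAN-side listing against a WAN-side one, and flags the "nearly everything open" pattern. Both sample listings are constructed from a handful of the ports quoted above, and the 9-in-10 threshold is an assumption for illustration.

```python
import re

# Matches one nmap port line such as "139/tcp filtered netbios-ssn".
LINE_RE = re.compile(
    r"^(\d+)/(tcp|udp)\s+(open\|filtered|open|filtered|closed)\s+(\S+)"
)

# Constructed sample: the FTP box scanned from inside the LAN.
LAN_SCAN = """\
PORT STATE SERVICE
21/tcp open ftp
135/tcp open msrpc
139/tcp filtered netbios-ssn
445/tcp open microsoft-ds
3389/tcp open ms-term-serv
"""

# Constructed sample: the same box scanned from outside, through the
# home router and ISP, where something answers nearly every SYN.
WAN_SCAN = """\
PORT STATE SERVICE
21/tcp open ftp
135/tcp open msrpc
139/tcp filtered netbios-ssn
445/tcp open microsoft-ds
1025/tcp open NFS-or-IIS
3001/tcp open nessusd
3389/tcp open ms-term-serv
6346/tcp open gnutella
12345/tcp open NetBus
27374/tcp open subseven
"""


def parse_ports(text):
    """Return {port: (state, service)} for every port line in the listing."""
    ports = {}
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            ports[int(m.group(1))] = (m.group(3), m.group(4))
    return ports


def open_ports(scan):
    return {port for port, (state, _) in scan.items() if state == "open"}


def looks_like_middlebox(scan, open_per_ten=9):
    """True when at least 9 of every 10 probed ports report open (assumed
    threshold): a real host rarely listens on almost everything, but a DMZ
    rule or an ISP box that completes every handshake produces this picture."""
    return bool(scan) and len(open_ports(scan)) * 10 >= len(scan) * open_per_ten


def triage(lan_text, wan_text):
    """Split the WAN view into what the host really exposes and what only
    the path in between appears to add."""
    lan_open = open_ports(parse_ports(lan_text))
    wan_open = open_ports(parse_ports(wan_text))
    return {
        "confirmed": sorted(lan_open & wan_open),  # listening on the host: fix these
        "wan_only": sorted(wan_open - lan_open),   # seen only from outside: path artefact
        "lan_only": sorted(lan_open - wan_open),   # reachable inside, blocked outside
    }
```

Ports in "confirmed" are the real exposure to close or firewall; a long "wan_only" list together with a middlebox verdict means the outside scan describes the router or ISP path, not the FTP server.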

Wow! Went away for a holiday weekend, and came back to see this. Certainly is similar, don, although I'll hold my judgement. Seems, anyway, to be a little more thought put in, prior to the initial post, and appears to be a bit more legitimate. Regardless, steirks, glad you got your situation figured out, a little bit further.

~ hayabusa ~

"All men can see these tactics whereby I conquer, but what none can see is the strategy out of which victory is evolved." - Sun Tzu, 'The Art of War'